Working With Private Keys and Certificates

Use certutil to create self-signed certificates and to import or export certificates. To import or
export private keys, use the pk12util utility. For more details, see “Using Network Security
Services (NSS) Tools” on page 116.
Caution – In Enterprise Server, do not modify the NSS password directly with the NSS tools
certutil and modutil. If you do so, security data in Enterprise Server might be corrupted.
ConguringJ2SE 5.0 PKCS#11 Providers
EnterpriseServer relies on J2SE PKCS#11 providers to access keys and certicates that are
locatedin PKCS#11 tokens at runtime. By default, Enterprise Server congures a J2SE PKCS#11
providerfor the NSS soft token. This section describes how to override the default
congurationfor the J2SE PKCS#11 provider.
InEnterprise Server, the following default PKCS#11 conguration parameters are generated for
eachPKCS#11 token.
Congurationfor the default NSS soft token:
name=internal
library=${com.sun.enterprise.nss.softokenLib}
nssArgs="configdir='${com.sun.appserv.nss.db}' certPrefix='' keyPrefix='' secmod='secmod.db'"
slot=2
omitInitialize = true
Congurationfor the SCA 1000 hardware accelerator:
name=HW1000
library=/opt/SUNWconn/crypto/lib/libpkcs11.so
slotListIndex=0
omitInitialize=true
Thesecongurations conform to the syntax described in the Java PKCS#11 Reference Guide.
Note– The name parameter has no requirements other than that it must be unique. Certain
olderversions of J2SE 5.0 support alphanumeric characters only.
Youcan override the default conguration parameters by creating a custom conguration le.
Forexample, you can explicitly disable the RSA Cipher and RSA Key Pair Generator in
SCA–1000.For details on disabling the RSA Cipher and RSA Key Pair Generator, see
http://www.mozilla.org/projects/security/pki/nss/tools.
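An added example, not taken from this guide: a custom configuration file for the SCA 1000 token that keeps the default parameters listed above and adds the disabledMechanisms attribute defined in the Java PKCS#11 Reference Guide. The two mechanism names are an assumption about which PKCS#11 mechanisms back the RSA Cipher and the RSA Key Pair Generator.

```properties
# Custom J2SE PKCS#11 provider configuration for the SCA 1000 token (added example).
# name, library, slotListIndex and omitInitialize are the defaults shown in this section.
name=HW1000
library=/opt/SUNWconn/crypto/lib/libpkcs11.so
slotListIndex=0
# Assumed mechanism names: CKM_RSA_PKCS backs the RSA Cipher,
# CKM_RSA_PKCS_KEY_PAIR_GEN backs the RSA Key Pair Generator.
disabledMechanisms = {
  CKM_RSA_PKCS
  CKM_RSA_PKCS_KEY_PAIR_GEN
}
omitInitialize=true
```

With these mechanisms disabled, the provider no longer offers them from the token, so requests for those RSA operations fall through to the next installed provider that supports them.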
Using Hardware Crypto Accelerator With Enterprise Server
Sun GlassFish Enterprise Server 2.1 Administration Guide • December 2008 124